Microsoft Intune no longer supports new enrollments with this enrollment profile type. This article applies only to existing devices that are already enrolled with it. Microsoft recommends Account-driven User Enrollment for new enrollments.
In a previous blog post, I covered the various types of enrollment available for iOS/iPadOS devices in Intune. If you haven't read that post yet, I recommend checking it out first to gain a better understanding of the Different types of iOS/iPadOS Enrollment In Intune. In this blog post, I will explain how to configure user enrollment with the Company Portal and provide an overview of the end-user enrollment experience.
I have also written a blog post that explains Account-driven User Enrollment in Intune. Both enrollment types are very similar and differ only in the enrollment method.
What is user enrollment with the Company Portal?
It is a streamlined enrollment process that provides admins with a subset of the device management options. With user enrollment, a managed Apple ID (federated) is set up on the device, and the managed Apple ID can be used alongside the user's personal Apple ID. On the device, a separate volume is created that holds the work apps, Notes, calendar attachments, mail attachments, keychain items, etc.
This enrollment generally creates containers or partitions for Work and Personal data that help admins secure work-related information. Work-related data can only be managed in a work container or partition, and the same applies to personal profiles. Admins can only manage Organization accounts, settings, and information provisioned with Intune. The information and settings related to a person's account cannot be managed. This protects corporate data in apps managed by the organization.
Prerequisites for user enrollment with the Company Portal
iOS version 13 or later, and iPadOS version 13.1 or later
To use Apple User Enrollment, you need to create managed Apple IDs and give them to the enrolling users. If federated authentication is enabled by linking Apple Business Manager with Microsoft Entra ID, there is no need to create and hand out an individual Apple ID for each user. Instead, the device user signs in to their apps with the same credentials as their work account.
Steps to Configure User Enrollment With Company Portal
Step 1: Sign in to the Microsoft Intune admin center (https://intune.microsoft.com), navigate to Devices and select iOS/iPadOS.
Step 2: Select iOS/iPadOS enrollment and then select Enrollment types.
Step 3: Tap Create profile and select iOS/iPadOS to create an enrollment type profile.
Step 4: Enter a name for the enrollment type profile and, if needed, a description (for demonstration purposes I entered only a name, as it is mandatory), then tap Next to continue.
Step 5: Select User enrollment with Company Portal and tap Next.
Step 6: Select a group or All users as required. In this example I am using a group: tap Select to add the group or users, then tap Next to continue.
Step 7: Verify the settings and select Create to complete the profile creation.
The profile is now created.
Let's look at the end-user experience.
Download Intune Company Portal and Microsoft Authenticator from the App Store. In the Company Portal, enter your user principal name or email address and tap Next. This signs your account in to the Company Portal and takes you through any further steps your organization requires, such as multifactor authentication or the identity provider's sign-in flow.
Once the user has signed in to the Company Portal, the device starts the enrollment process; tap Begin to start. User enrollment with the Company Portal requires the Microsoft Authenticator app as a prerequisite: if the app is already installed, this step registers the account; if not, the page takes you to download it. Once Microsoft Authenticator is downloaded, the Install Microsoft Authenticator check box turns green; tap Continue.
Next, you are taken to the Review privacy information page. Here the Can't and Can sections help the user understand what the organization can and cannot see. Tap Continue to proceed with the enrollment.
Tap Continue to start the download of the management profile, then tap Allow when prompted. To complete the installation of the profile, open Settings on your iOS/iPadOS device, select Enroll in "Your Organization's Name", and enter the device passcode to continue the enrollment.
You can now see the organization name and the Apple ID (this will be your managed Apple ID). Tap Enroll My iPad (since I am enrolling an iPad it shows iPad; the wording changes according to the device you are enrolling). This takes you through the sign-in page and, if multifactor authentication is enabled, that step as well. Once sign-in is complete, tap Continue.
You can view the management profile details in the device Settings, then navigate back to the Company Portal app.
The Company Portal shows that the device is ready; tap Done to complete the enrollment process.
Data separation is established when the enrollment completes: Apple creates separate encryption keys for the user's personal data and for work data, and the work keys are securely destroyed once the device is unenrolled by the user or retired by the admin. You can see the data separation for iCloud, Notes, and Reminders, and the same applies to other applications as well.
On the admin side, only organizational data can be managed remotely; options such as Wipe are grayed out. Devices enrolled this way can only be retired.
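A small audit an admin might run over an export of managed devices, to see which Apple devices are user-enrolled and therefore retire-only as described above. This is an added example, not code from the original post or from Microsoft; it runs on constructed sample records shaped like the Microsoft Graph managedDevice resource, and the enrollment type value `appleUserEnrollment` is assumed from that resource's enumeration (verify it against current Graph documentation before relying on it).

```python
"""Audit Intune-managed Apple devices by enrollment type (added example)."""
from collections import Counter

# Assumption: the Graph managedDevice enumeration value for Apple User Enrollment.
USER_ENROLLMENT_TYPES = {"appleUserEnrollment"}
APPLE_OS = {"ios", "ipados"}

# Constructed sample records (not real devices or users).
SAMPLE_DEVICES = [
    {"deviceName": "ipad-sales-01", "operatingSystem": "iPadOS",
     "deviceEnrollmentType": "appleUserEnrollment", "userPrincipalName": "a@example.com"},
    {"deviceName": "iphone-hr-07", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleUserEnrollment", "userPrincipalName": "b@example.com"},
    {"deviceName": "iphone-kiosk", "operatingSystem": "iOS",
     "deviceEnrollmentType": "appleBulkWithoutUser", "userPrincipalName": ""},
    {"deviceName": "win-laptop", "operatingSystem": "Windows",
     "deviceEnrollmentType": "windowsAzureADJoin", "userPrincipalName": "c@example.com"},
]


def allowed_remote_actions(device):
    """Remote actions the post describes: user-enrolled devices can only be retired."""
    if device.get("deviceEnrollmentType") in USER_ENROLLMENT_TYPES:
        return ("retire",)            # work container only; Wipe is grayed out
    return ("retire", "wipe")


def audit_apple_devices(devices):
    """Classify iOS/iPadOS devices; returns (report_rows, summary_counter)."""
    rows, summary = [], Counter()
    for d in devices:
        if d.get("operatingSystem", "").lower() not in APPLE_OS:
            continue                  # skip non-Apple platforms
        actions = allowed_remote_actions(d)
        mode = "user-enrollment" if actions == ("retire",) else "device-enrollment"
        summary[mode] += 1
        rows.append({"deviceName": d["deviceName"], "mode": mode,
                     "user": d.get("userPrincipalName") or "(none)", "actions": actions})
    return rows, summary


if __name__ == "__main__":
    report, totals = audit_apple_devices(SAMPLE_DEVICES)
    for r in report:
        print(f"{r['deviceName']:<14} {r['mode']:<18} {r['user']:<16} {'/'.join(r['actions'])}")
    print(dict(totals))
```

Feed it the JSON you export from the Intune admin center or Graph instead of `SAMPLE_DEVICES` to get the same report for your tenant.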
How to Remove the Management Profile
Users can remove the management profile themselves by tapping Remove Management. The user enters the device passcode, taps Done, and then taps Remove to delete all the applications and data associated with the organization, which is effectively the same as the Retire option.
Conclusion
This blog post has provided a clear and concise set of instructions on how to enroll iOS/iPadOS devices using the User Enrollment method with the Company Portal enrollment type.